System for determining a total error description of at least one part of a computer program

ABSTRACT

A section of a computer program is used to ascertain a control flow description and a data flow description, and program elements are selected from the section of the computer program. For each selected program element, a stored fault description associated with a respective reference element is used to ascertain an element fault description which describes possible faults in the respective program element. The element fault descriptions are used to ascertain the overall fault description, taking into account the control flow description and the data flow description.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is based on and hereby claims priority to German PatentApplication No. 19925239.4 filed on Jun. 2, 2001, the contents of whichare hereby incorporated by reference.

REFERENCE TO COMPUTER PROGRAM LISTING, COMPACT DISC APPENDIX

A compact disc is included herewith and incorporated by reference hereinhaving thereon a computer program listing appendix in the ASCIIuncompressed text format with ASCII carriage return, ASCII line feed andall control codes defined in ASCII, having computer compatibility withIBM PC/XT/AT or compatibles, having operating system compatibility withMS-Windows and including file PROGRA˜6.TXT (Program-Listing.txt inWindows) of 130,121 bytes, created on Nov. 29, 2001.

BACKGROUND OF THE INVENTION

The invention relates to a method and a system for ascertaining anoverall fault description for at least one section of a computerprogram, and also to a computer product and a computer-readable storagemedium.

Such a method and such a system are known from N. Leveson, “SafetyVerification of ADA Programs Using Software Fault Trees”, IEEE Software,July 1991, pages 48–59, which discloses the practice of using computersto ascertain an overall fault description in the form of an overallfault tree for a computer program. For the computer program, a controlflow description is ascertained in the form of a control flow graph. Forvarious program elements of the computer program, a stored faultdescription associated with a respective stored reference element isused to ascertain an element fault description. The fault descriptionfor a reference element describes possible faults in the respectivereference element. The element fault descriptions in the form of elementfault trees are used to ascertain the overall fault description, takinginto account the control flow graph for the computer program.

The method and the system taught by Leveson have the followingdrawbacks, in particular. The overall fault tree ascertained isincomplete in terms of the faults examined and the causes thereof, andis therefore unreliable. Hence, this practice is not appropriate for usewithin the context of generating fault trees for a computer program forsafety-critical applications. The individual fault trees associated withthe reference elements are also incomplete and hence unreliable.

M. Weiser, “Program Slicing”, in IEEE Transaction on SoftwareEngineering, Vol. 10, No. 4, July 1984, pp. 352–357 provides an overviewof “slicing”. Slicing is the analysis carried out when searching forcauses of incorrect action in a computer program. This procedureinvolves checking whether the incorrect action has been caused by aninstruction currently under consideration. If this is not the case, theinstructions which deliver data for or control the execution of theinstruction are checked. This method is continued until no furtheroperations exist, that is to say it gets to input data for the computerprogram. In slicing, “slices” are ascertained. A slice shows whichinstructions are affected in what way by a value under consideration.Below, the term slicing is always understood to mean backwardly directedslicing.

P. Liggesmeyer, Modultest und Modulverifikation—State of the Art,Mannheim, Vienna, Zurich: BI Wissenschaftsverlag, 1990 discloses thepractice of ascertaining a control flow description and a data flowdescription for a computer program. In Liggesmeyer, this representationis used as an initial basis for “data-flow-oriented testing” of thecomputer program. The instructions (nodes) of the control flow graph areassigned data flow attributes (data flow description) which describe thenature of the data access operations contained in the instructions ofthe computer program. A distinction is drawn between write accessoperations and read access operations. Write access operations arereferred to as definitions (def). Read access operations are referred toas a reference. If a read access operation takes place in a decision,this access operation is referred to as a predicative reference (p-use,predicate use). A read access operation during calculation of a value isreferred to as a computational reference (c-use, computational use).

DIN 25424-1: Fehlerbaumanalysen; Methoden und Bildzeichen, September1981, which has a title that can be translated “Fault Tree Analyses;Methods and Graphic Symbols”, discloses principles relating to a faulttree. A fault tree is to be understood, as described in DIN 25424-1, tomean a structure which describes logical relationships between inputvariables for the fault tree which lead to a prescribed undesirableevent.

In addition, DIN 25424-2: Fehlerbaumanalyse; Handrechenverfahren zurAuswertung eines Fehlerbaums, Berlin, Beuth Verlag GmbH, April 1990which has a title that can be translated “Fault Tree Analysis; ManualComputation Methods for Evaluating a Fault Tree”, discloses variousmethods for fault tree analysis.

SUMMARY OF THE INVENTION

The invention is based on the problem of ascertaining an overall faultdescription which is more reliable than ascertaining an overall faulttree in the manner known on the basis of the method taught by Leveson.

In a method for ascertaining an overall fault description for at leastone section of a computer program, using a computer, at least thesection of the computer program is stored. A control flow descriptionand a data flow description are ascertained for the section of thecomputer program, and program elements are selected from the section ofthe computer program. For each selected program element, a stored faultdescription is used to ascertain an element fault description. The faultdescription is associated with a respective reference element. Theelement fault description describes possible faults in the respectiveprogram element. A fault description for a reference element describespossible faults in the respective reference element. The element faultdescriptions are used to ascertain the overall fault description, whichtakes into account the control flow description and the data flowdescription.

A system for ascertaining an overall fault description for at least onesection of a computer program has a processor which is set up such thatthe following method steps can be carried out:

-   -   at least the section of the computer program is stored,    -   a control flow description and a data flow description are        ascertained for the section of the computer program,    -   program elements are selected from the section of the computer        program,    -   for each selected program element, a stored fault description        associated with a respective reference element is used to        ascertain an element fault description which describes possible        faults in the respective program element,    -   a fault description for a reference element describes possible        faults in the respective reference element,    -   the element fault descriptions are used to ascertain the overall        fault description, taking into account the control flow        description and the data flow description.

A computer program product comprises a computer-readable storage mediumon which a program is stored which, when it has been loaded into amemory in a computer, allows the computer to carry out the followingsteps for ascertaining an overall fault description for at least onesection of a computer program:

-   -   at least the section of the computer program is stored,    -   a control flow description and a data flow description are        ascertained for the section of the computer program,    -   program elements are selected from the section of the computer        program,    -   for each selected program element, a stored fault description        associated with a respective reference element is used to        ascertain an element fault description which describes possible        faults in the respective program element,    -   a fault description for a reference element describes possible        faults in the respective reference element,    -   the element fault descriptions are used to ascertain the overall        fault description, taking into account the control flow        description and the data flow description.

A computer-readable storage medium stores a program which, when it hasbeen loaded into a memory in a computer, allows the computer to carryout the following steps for ascertaining an overall fault descriptionfor at least one section of a computer program:

-   -   at least the section of the computer program is stored,    -   a control flow description and a data flow description are        ascertained for the section of the computer program,    -   program elements are selected from the section of the computer        program,    -   for each selected program element, a stored fault description        associated with a respective reference element is used to        ascertain an element fault description which describes possible        faults in the respective program element,    -   a fault description for a reference element describes possible        faults in the respective reference element,    -   the element fault descriptions are used to ascertain the overall        fault description, taking into account the control flow        description and the data flow description.

The invention now makes it possible to ascertain a reliable overallfault description, which takes into account the peculiarities of acomputer program, for a computer program or a section thereof. Since theoverall fault description ascertained is much more reliable than theoverall fault description which can be ascertained on the basis of themethod taught by Leveson, the invention is also suitable forsafety-critical applications, i.e. in particular for ascertaining anoverall fault description for a safety-critical computer program.

The control flow description and/or the data flow description may be inthe form of a control flow graph or of a data flow graph, respectively.

The fault description may be in the form of a stored fault tree, and theelement fault description can be ascertained as an element fault tree.In this case, the overall fault description can be ascertained as anoverall fault tree. This development permits standardized representationof a fault description, which makes it much simpler for a user of thefault description to analyze same.

In one development, the overall fault description can be used for faultanalysis in the section of the computer program. This development hasthe advantage, in particular, that automated, reliable fault analysisbecomes possible, and if the fault descriptions are in the form of faulttrees the fault description can even be analyzed in a manner“normalized” in accordance with the fault tree analysis methods.

In another refinement, the overall fault description is ascertained asan overall fault tree, and the overall fault tree is altered in terms ofprescribable boundary conditions. The alteration can be made by adding acomplementary fault tree.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the present invention willbecome more apparent and more readily appreciated from the followingdescription of the exemplary embodiment of the invention as explained inmore detail below and as illustrated in the figures, in which:

FIG. 1 is a block diagram of a computer used to carry out the method inaccordance with the exemplary embodiment;

FIG. 2 is a flowchart showing the individual method steps of the methodin accordance with the exemplary embodiment;

FIG. 3 is a general fault tree, as formed basically for a referenceelement;

FIGS. 4 a to 4 c are flow diagrams for a control flow graph (FIG. 4 a),a slice (FIG. 4 b) and a fault tree (FIG. 4 c) for an instructionsequence as a reference element of a computer program;

FIGS. 5 a to 5 c are flow diagrams for a control flow graph (FIG. 5 a),a slice (FIG. 5 b) and a fault tree (FIG. 5 c) for a selection sequenceas a reference element of a computer program;

FIGS. 6 a to 6 c are flow diagrams for a control flow graph (FIG. 6 a),a slice (FIG. 6 b) and a fault tree (FIG. 6 c) for a loop as a referenceelement of a computer program;

FIG. 7 is a control flow graph with a data flow graph for a computerprogram in accordance with the exemplary embodiment;

FIGS. 8 a and 8 b are flow diagrams for a slice for the output of thevariable max (FIG. 8 a) and a slice for the variable avr (FIG. 8 b) forthe program in accordance with the exemplary embodiment;

FIG. 9 is a flow diagram for the slice for the variable avr, in which astructure of the loop from the program in accordance with the exemplaryembodiment is highlighted;

FIG. 10 is a flow diagram for a fault tree for the assumption that thevariable avr is incorrect;

FIG. 11 is a flow diagram for the overall fault tree based on FIG. 10,where redundant events from the overall fault tree based on FIG. 10 havebeen combined into one event.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Reference will now be made in detail to the preferred embodiments of thepresent invention, examples of which are illustrated in the accompanyingdrawings, wherein like reference numerals refer to like elementsthroughout.

FIG. 1 shows a computer 100 used to carry out the method describedbelow. The computer 100 has a processor 101 which is connected to amemory 102 via a bus 103. The bus 103 also has an input/output interface106 connected to it.

The memory 102 stores a computer program 104 for which an overall faultdescription is ascertained in the manner described below. In addition,the memory 102 stores a program 105 which implements the methoddescribed below. The memory also stores fault descriptions 115 fordifferent reference elements of a computer program. A fault descriptionfor a reference element describes possible faults in the respectivereference element. Various reference elements and fault descriptionsassociated with the reference elements are explained in detail below.

The input/output interface 106 has a keyboard 108 connected to it via afirst connection 107. A second connection 109 is used to connect theinput/output interface 106 to a computer mouse 110, and a thirdconnection 111 is used to connect the input/output interface 106 to ascreen 112 on which the overall fault description ascertained for thecomputer program 104 is displayed. A fourth connection 113 is used toconnect the input/output interface 106 to an external storage medium114.

FIG. 2 shows a block diagram illustrating the procedure in accordancewith the exemplary embodiment described below.

The stored computer program 104 is used to ascertain a control flowgraph 201 and a data flow graph 202 for the computer program 104.

Individual program elements are selected from the computer program (step203). For each program element selected, a stored fault descriptionassociated with a reference element corresponding to the selectedprogram element is used to ascertain an element fault description (step204). The element fault description describes possible faults in therespective selected program element.

On the basis of a fault event in the computer program (undesirableevent), which fault event is prescribed by a user and needs to beexamined, in a final step (step 205) an overall fault description forthe computer program is ascertained, for the fault instance to beexamined, from the element fault descriptions, taking into account thecontrol flow graph and the data flow graph. The overall fault treeascertained is displayed to the user on the screen 112.

FIG. 3 shows the basic procedure for creating a fault tree, as used inthe initial example in order to form the fault trees described below forthe reference elements.

For an event 301 selected by a user, it is necessary to ascertain howthe selected incorrect event can arise. In a computer program, incorrectoutput of a variable, as a selected incorrect event (undesirable event)301, can be caused by a control flow fault 303 and/or a data fault 304(INCLUSIVE-OR function 302).

A control flow fault 303 is to be understood to mean incorrect controlof the processing of the respective variable.

The data flow fault 304 is to be understood to mean a fault which arisesduring processing as a result of incorrect data. The data flow fault 304may originate in the processing step currently under consideration(block 306) and/or it may already have been present and may bemaintained only by fault propagation (block 307) (INCLUSIVE-OR function305).

On the basis of these considerations, the appropriate fault tree, aslice describing the instruction and a control flow graph arerespectively illustrated below for the following elements of a computerprogram:

-   -   an instruction sequence,    -   a selection element,    -   a loop element.

Instruction Sequence

The instruction sequence 401 comprises the three instructions shown inFIG. 4 a. In a first instruction 402, a first variable j is assigned thevalue 3 (j:=3). A second instruction 403 assigns a second variable k thevalue 2 (k:=2). A third instruction 404 forms a sum using the firstvariable and the second variable (i:=j+k).

In accordance with the practice disclosed in Weiser, a slice 410 isformed for this instruction sequence 401, as shown in FIG. 4 b. Thefirst instruction 402 and the second instruction 403 both affect thethird instruction 404, which is illustrated by two arrows 411, 412 inthe slice 410.

For the control flow graph 401, the fault tree 420 shown in FIG. 4 c isobtained for the following prescribed undesirable event 421: “Variable iis incorrect after the third instruction”.

The incorrect event 421 may have been produced by a fault in the thirdinstruction 404 under consideration itself, if the data up to thisinstruction step were correct (element 422 in FIG. 4 c). The incorrectevent 421 may also be caused by corrupt input data for the thirdinstruction, however, i.e. as a result of INCLUSIVE-ORing 424 the eventsthat the second variable k was incorrect after the second instruction(element 425) and/or that the first variable j was incorrect after thefirst instruction 402 (element 426). The result of the firstINCLUSIVE-ORed function 424 is INCLUSIVE-ORed with the event that thethird instruction is incorrect (INCLUSIVE-OR function 423).

Selection Element

With a selection element as reference element, it is necessary toconsider possibilities of fault in the data flows and in the controlflows within the computer program.

FIGS. 5 a to 5 c show a control flow graph 501 (cf. FIG. 5 a), a slice520 (cf. FIG. 5 b) and a fault tree 540 (cf. FIG. 5 c) for anIf-Then-Else instruction as a selection element. The control flow graph501 comprises the following six instructions:

-   -   a first instruction 502, which assigns a first variable j the        value 3 (j:=3),    -   a second instruction 503, which assigns a second variable k a        prescribable value (k:= . . . ),    -   a third instruction 504, which checks whether the second        variable k has a value greater than 0; if the value of the        second variable is greater than 0, the instruction branches to a        fourth instruction 505, otherwise it branches to a fifth        instruction 506,    -   the fourth instruction 505, which assigns a third variable i the        value of the second variable k (i:=k),    -   a fifth instruction 506, which assigns the third variable i the        value of the second variable k with a negative arithmetic sign        (i:=−k),    -   a sixth instruction 507, which processes the third variable i        further in an arbitrary manner.

For the control flow graph 501 shown in FIG. 5 a, the slice 520 shown inFIG. 5 b is obtained for the selection element. Solid edges in the slice520 show a data dependency between the different instructions. Dashededges indicate control dependencies between the appropriateinstructions.

The following definitions apply for the two edge types:

-   -   dashed edges, referred to as control edges below, are directed        from instructions which contain a predicative reference (failure        constructs, loop control) to the directly controlled        instructions, i.e. to those instructions which are executed only        if the predicate has a particular value. Control edges are drawn        only between the controlling instruction and directly        interleaved instructions. If a controlled block contains a        further interleaved control level, no control edges crossing        more than one level are drawn. Since a control relationship is        transitive, this indirect control can be inferred from the slice        by utilizing the transitivity.    -   solid edges, referred to as data flow edges below, are directed        from instructions in which a variable is defined to instructions        in which this variable is referenced. The variable under        consideration cannot be defined again between the definition and        the reference. This is referred to as a definition-free path for        the variable under consideration.

The slice is ascertained by searching the control flow graph, counter tothe edge direction, for a definition of the variable under considerationstarting from the instruction containing the variable underconsideration, for which the undesirable event is prescribed. Ifcomputational references exist for the definition, the method iscontinued recursively until no further additional nodes are found. Thedependencies found in this way between instructions are datadependencies. If a node under consideration is contained in a blockwhose execution is controlled directly by a decision, this represents acontrol dependency. For the predicative references of the variablesinvolved in the decision, nodes with appropriate definitions—that is tosay data flow dependencies—are recursively sought which have othercontrol dependencies.

FIG. 5 b shows the failure element's associated slice 520 withcorresponding control edges and data flow edges.

FIG. 5 c shows the fault tree 540 for the prescribed event “the thirdvariable i is incorrect before the 6th instruction” 541.

The following events result in the incorrect event 541 whenINCLUSIVE-ORed 542:

-   -   ANDing 543 the events that the decision in accordance with the        third instruction 504 is true (element 544) and a result of        INCLUSIVE-ORing 545 the events that the fourth instruction 505        is incorrect (element 546) and/or the first variable j is        incorrect after the first instruction 502 (element 547);    -   ANDing 550 the events that the decision in accordance with the        third instruction 504 is false (element 551) and a result of        INCLUSIVE-ORing 552 the events that the fifth instruction is        incorrect (element 553) and/or that the first variable j is        incorrect after the first instruction 502 (element 554);    -   INCLUSIVE-ORing 560 the following events: the decision in        accordance with the third instruction 504 is incorrect (element        561) and/or the second variable k is incorrect after the second        instruction 503 (element 562).

Multiple Selection Element

A multiple selection element as reference element can be handled inaccordance with the scheme described above by breaking down the multipleselection into a cascade of two-way selection elements processed inaccordance with the procedure above, in order thus to ascertain a faulttree for a multiple selection element.

Loop

FIGS. 6 a to 6 c show a fault tree 601 (cf. FIG. 6 a), the correspondingslice 620 (cf. FIG. 6 b) and the associated fault tree 640 (cf. FIG. 6c) for the reference element of a loop. The control flow graph 601 for aloop element comprises the following seven instructions:

-   -   a first instruction 602, which assigns a first variable i the        value 0 (i:=0),    -   a second instruction 603, which assigns a second variable j an        unspecified value (j:= . . . ),    -   a third instruction 604, which prescribes a further unspecified        value for a third variable k (k:= . . . ),    -   a fourth instruction 605, which, as a loop instruction,        specifies a condition that a fifth instruction and a sixth        instruction are executed until the value of the second variable        is j>0 (WHILE j>0 DO),    -   a fifth instruction 606, which assigns the first variable i a        value which is obtained from the sum of the previous value of        the first variable and the product of the second variable and        the third variable (i:=i+k*j),    -   a sixth instruction 607, which assigns the second variable j a        value which is obtained by decreasing the original value of the        second variable j by the value 1 (j:=j−1),    -   a seventh instruction 608, which processes the first variable i        further in a prescribable manner ( . . . :=i . . . ).

FIG. 6 b shows the corresponding slice 620 for the control flow graph601 shown in FIG. 6 a with associated control flow edges and data flowedges. The fault tree 640 shown in FIG. 6 c is formed for the prescribedevent 641 that the “first variable i is incorrect before the seventhinstruction”.

The fault tree 640 is obtained by INCLUSIVE-ORing 642 the following fourevents:

-   -   a first event 643, which describes a situation in which the        first variable i is incorrect after the first instruction 602,    -   ANDing 644 the events that the loop body has been passed through        at least twice (element 645) and the event that the sixth        instruction 607 is incorrect (646),    -   ANDing 650 the event that the loop body has been executed at        least once (element 651) and INCLUSIVE-ORing 652 of the        following four events:        -   a) the fifth instruction 606 is incorrect (element 653),        -   b) the first variable i is incorrect after the first            instruction (element 654),        -   c) the second variable j is incorrect after the second            instruction (element 655),        -   d) the third variable k is incorrect after the third            instruction (element 656),    -   INCLUSIVE-ORing 660 the following three events:        -   e) the decision in accordance with the fourth instruction            605 is incorrect (element 661),        -   f) the second variable j is incorrect after the second            instruction 603 (element 662),        -   g) ANDing 663 the events that the sixth instruction is            incorrect (element 664) and the event that the loop body has            been passed through at least once (element 665).

The fault trees described above, which are associated with theindividual reference elements, are stored in the memory 102 as faulttrees 115.

FIG. 7 shows a control flow graph 700 for the following computerprogram:

input (n);

input (a);

max:=0;

sum:=0;

i:=2;

WHILE i=n DO

-   -   IF max<a    -   THEN max:=a    -   sum:=sum+a    -   i:=i+1

avr:=sum/n;

output (max);

output (avr);

For the control flow graph 700 comprising 13 instructions (referencesymbols 1, 2, 3, . . . , 13) which is shown in FIG. 7, FIG. 8 a showsthe associated slice 800 for the variable max and FIG. 8 b shows theassociated slice 810 for the variable avr. The numbering of theindividual instructions in the slices corresponds to the numbering ofthe individual instructions in the control flow graph 700 from FIG. 7.

FIG. 9 shows the slice 900 for the variable avr, as shown in FIG. 8 b.The structure of the loop element contained in the program shown aboveis highlighted in bold. This structure corresponds to the slice shown inFIG. 6 b for a loop element.

An overall fault tree 1000 for the computer program shown above is shownin FIG. 10. The overall fault tree for the computer program is producedby instantiating the appropriate fault tree associated with thereference element which corresponds to the selected program element.

By starting from the prescribed undesirable event and working backward,the overall fault tree 1000 is thus ascertained using the fault treesassociated with the reference elements.

FIG. 10 contains the fault tree 1000 relating to the event that “thevariable avr is incorrect before the thirteenth instruction” (element1001). The variable avr may be incorrect before the thirteenthinstruction 13 on account of at least one of the following three events,as is also shown in the slice 900 shown in FIG. 9 for the variable avr(INCLUSIVE-OR function 1002):

-   -   an input variable n is incorrect after the first instruction 1        (element 1003),    -   the eleventh instruction 11 is incorrect (element 1004),    -   the value of the variable sum is incorrect before the eleventh        instruction 11 (element 1005).

The variable sum is incorrect before the eleventh instruction 11(element 1005) if at least one of the following events is satisfied(INCLUSIVE-OR function 1006):

-   -   the variable sum is incorrect after the fourth instruction 4        (element 1007),    -   ANDing 1008 the event that the loop body has been executed at        least twice (element 1009) and the event that the tenth        instruction 10 is incorrect (element 1010),    -   ANDing 1011 the event that the loop body has been executed at        least once (element 1012) and the result of INCLUSIVE-ORing 1013        the following four events:        -   a) the ninth instruction 9 is incorrect (element 1014),        -   b) the variable sum is incorrect after the fourth            instruction 4 (element 1015),        -   c) the variable i is incorrect after the fifth instruction 5            (element 1016),        -   d) the variable a is incorrect after the second instruction            2 (element 1017),    -   INCLUSIVE-ORing 1018 the following events:        -   e) the decision in accordance with the sixth instruction is            incorrect (element 1019),        -   f) the variable i is incorrect after the fifth instruction            (element 1020),        -   g) the variable n is incorrect after the first instruction            (element 1021),        -   h) ANDing 1022 the event that the 10th instruction is            incorrect (element 1023) and the event that the loop body            has been executed at least once (element 1024).

To provide for clearer illustration, the fault tree 1000 from FIG. 10 isaltered such that events shown a plurality of times in the fault tree1000 are combined to form one node of a cause-effect graph 1100 (cf.FIG. 11).

The fault tree 1000 shown in FIG. 10 is subjected to a fault treeanalysis method, as described in DIN 25424-2, which analyzes an analysisof the computer program for a prescribed undesirable event.

The text below illustrates alternatives and further opportunities forapplication of the exemplary embodiment described above.

The overall fault tree produced using the method described above can beused for various purposes:

-   -   description of the fault generation or propagation of incorrect        action by a section of a computer program within the context of        safety analysis or reliability analysis for the computer        program,    -   analysis of software fault mechanisms, for example within the        context of test case generation.

The invention has been described in detail with particular reference topreferred embodiments thereof and examples, but it will be understoodthat variations and modifications can be effected within the spirit andscope of the invention.

1. A method for using a computer to ascertain an overall faultdescription for at least one section of a computer program, comprising:storing fault descriptions associated with reference elements todescribe possible faults in the reference elements, respectively;storing a section of the computer program; ascertaining a control flowdescription for the section of the computer program, to describe a flowof control information in the section of the computer program;ascertaining a data flow description for the section of the computerprogram, to describe a flow of data in the section of the computerprogram; combining the control and data flow descriptions into a jointflow description for the section of the computer program; selectingprogram elements from the section of the computer program; matching eachselected program element with a corresponding reference element toobtain a fault description associated with the corresponding referenceelement and thereby describe possible faults in the selected programelement; ascertaining the overall fault description as an overall faulttree using the fault descriptions of the program elements from thecomputer program, with a structure of the overall fault descriptiontaking into account a structure of the joint flow description; andaltering the overall fault tree in terms of prescribable boundaryconditions.
 2. The method as claimed in claims 1, wherein the controlflow description is a control flow graph.
 3. The method as claimed inclaims 1, wherein the data flow description is a data flow graph.
 4. Themethod as claimed in claim 1, wherein each of the fault descriptionsassociated with the reference elements is a fault tree, and wherein theoverall fault description is ascertained as the overall fault tree basedon fault trees associated with the corresponding reference element foreach selected program element.
 5. The method as claimed in claims 1,further comprising performing fault analysis in the section of thecomputer program using the overall fault description.
 6. The method asclaimed in claim 1, wherein said altering comprises adding acomplementary fault tree.
 7. A system for ascertaining an overall faultdescription for at least one section of a computer program, comprising:a storage unit to store the at least one section of the computer programand fault descriptions for reference elements, each fault descriptiondescribing possible faults in one of the reference elements; and aprocessor, coupled to said storage unit, to ascertain control and dataflow descriptions for the at least one section of the computer program,the control flow description describing a flow of control information inthe at least one section of the computer program and the data flowdescription describing a flow of data in the at least one section of thecomputer program, to combine the control and data flow descriptions intoa joint flow description for the at least one section of the computerprogram, to select program elements from the at least one section of thecomputer program, to match each selected program element with acorresponding reference element and obtain a fault descriptionassociated with the corresponding reference element and thereby describepossible faults in the selected program element; and to ascertain theoverall fault description as an overall fault tree using the faultdescriptions of the program elements from the computer program, with astructure of the overall fault description taking into account astructure of the joint flow description; and to alter the overall faulttree in terms of prescribable boundary conditions.
 8. The method asclaimed in claim 7, wherein said processor ascertains the control flowdescription as a control flow graph.
 9. The system as claimed in claim7, wherein said processor ascertains the data flow description as a dataflow graph.
 10. The system as claimed in claim 7, wherein said storageunit stores each fault description as a fault tree, and wherein saidprocessor ascertains each element fault description as an element faulttree and the overall fault description as an overall fault tree.
 11. Thesystem as claimed in claim 7, wherein said processor further performsfault analysis in the at least one section of the computer program usingthe overall fault description.
 12. The system as claimed in claim 7,wherein said processor alters the overall fault tree by adding acomplementary fault tree.
 13. A computer-readable storage medium storingat least one program to control a computer to perform a method forascertaining an overall fault description for at least one section of acomputer program, said method comprising: storing a section of thecomputer program; ascertaining a control flow description for thesection of the computer program, to describe a flow of controlinformation in the section of the computer program; ascertaining a dataflow description for the section of the computer program, to describe aflow of data in the section of the computer program; combining thecontrol and data flow descriptions into a joint flow description for thesection of the computer program; selecting program elements from thesection of the computer program; storing a fault description for eachreference element to describe possible faults in the reference element;matching each selected program element with a corresponding referenceelement to obtain a fault description associated with the correspondingreference element and thereby describe possible faults in the selectedprogram element; ascertaining the overall fault description as anoverall fault tree using the fault descriptions of the program elementsfrom the computer program, with a structure of the overall faultdescription taking into account a structure of the joint flowdescription; and altering the overall fault tree in terms ofPrescribable boundary conditions.
 14. A computer-readable storage mediumas claimed in claim 13, wherein said computer alters the overall faulttree by adding a complementary fault tree.